The Privacy Parables II: The AG’s Privacy Report and the Future of Privacy in Australia
What area(s) of law does this episode consider? | The Privacy Act Review Report and the future of privacy in Australia. |
Why is this topic relevant? | On 16 February 2023, the Attorney-General’s Department published the long awaited Privacy Act Review Report (Report). The Report represented the finale of two years of consultation and review of the Privacy Act 1988 (Cth). The question at the heart of the Report was whether the Act and its mechanisms were still fit for purpose. The difference in the digital environment when the Act was passed and the digital environment in which we all live today is stark. The official birthday of the internet is recognised as 1 January 1983 – just five years before the Act. And the World Wide Web – the way we interact with information on the internet today – wasn’t even a twinkle in the eye of Tim Berners-Lee until 1989, and wasn’t royalty free for widespread use until 1993. The explosion of the digital economy since has generated massive benefits for consumers and businesses. But the price of access to the modern digital economy is data. And since 1988 ever larger amounts of it have been generated, stored, used, and disclosed. |
What legislation is considered in this episode? | Privacy Act 1988 (Cth) (Act); Privacy Legislation Amendment (Enforcement and Other Measures) Bill 2022 (Cth) (Bill) |
What are the main points? | Small business exemption; Employee records exemption; Data breaches |
What are the practical takeaways? | |
Show notes | Attorney-General’s Department, Privacy Act Review Report (2023) |
David Turner = DT; Alec Christie = AC; Ross Davis = RD
00:00:13 | DT: | Hello and welcome to Hearsay the Legal Podcast, a CPD podcast that allows Australian lawyers to earn their CPD points on the go and at a time that suits them. I’m your host David Turner. Hearsay the Legal Podcast is proudly supported by Lext Australia. Lext’s mission is to improve user experiences in the law and legal services and Hearsay the Legal Podcast is how we’re improving the experience of CPD. On the 16th of February, 2023, the Commonwealth Attorney General’s Department published its long-awaited Privacy Act Review Report – we’ll be calling that the Report in this episode. The Report represented the finalisation of two years of consultation and review of the Privacy Act 1988. The question at the heart of the Report was whether the Act and its mechanisms are still fit for purpose in modern day Australia. Now the difference in the digital environment when the Act was passed in 1988 and the digital environment in which we all live today some 40 years later is stark. The official birthday of the Internet is recognised as the 1st of January 1983, just five years before the Act, and the World Wide Web – the way we all interact with information on the Internet today through our browsers – wasn’t even a twinkle in the eye of Tim Berners-Lee until 1989, and wasn’t even royalty free for widespread use until 1993. Now the explosion of the digital economy, including here in Australia, has generated massive benefits for consumers and businesses, but the price of access to the modern digital economy is data. And since 1988, ever larger amounts of it have been generated, stored, used and disclosed; it truly is the modern day oil. Returning to the podcast today is Alec Christie. Alec is a partner at the Sydney office of Clyde & Co and an expert in all things digital data and privacy. And he was just recently – very recently, in fact – on the podcast on the topic of the GDPR and Australia’s privacy regime and how we measure up. 
And he’s returning today to update us on the AG’s privacy Report. Alec, welcome back, very recently, to the Hearsay The Legal Podcast. |
00:02:18 | AC: | Thank you, David. It’s great to be back and I’m sorry it’s under such circumstances, like changing the law. |
DT: | Well, not always a bad thing, I suppose, as we’ll get into. | |
AC: | Well, yeah, I think the jury’s out on that one for me. | |
DT: | Well, I’m looking forward to getting into that. Before I do, we have alluded already a couple of times to the fact that you’ve come back pretty quickly after your last episode. And it really speaks to how quickly this area is changing. What have you been working on recently and what have clients been coming to see you about in the privacy law space? | |
AC: | Well, we’ve been very popular, even more popular than usual. That’s probably why you’ve got us back quite a lot faster than you thought. | |
DT: | So making a lot of new friends. | |
AC: | A lot of new friends, indeed, people I never knew existed, but they’re all very close friends now. Let me be a little sarcastic. It’s surprising that a few high profile breaches, the minister naming and shaming people in Parliament, the increase of the fine for serious or repeated invasions of privacy, in other words, privacy breaches up from 2.2 to $50 million or 30% of revenue. And the AG’s Report coming out with 116 changes. Who knew that would create a bit of interest in privacy? TIP: As we’ve said, this isn’t Alec’s first appearance on the podcast. If you missed the last one, we discussed Australia’s privacy regime before the Privacy Act Review Report was published. We knew it was coming, so in that one we talked about the GDPR and its impact on Australian businesses as well as the EU’s view of Australia’s regime. Go check that one out if you haven’t already. It’s episode 83 and it was the first of our Privacy Parables. I suppose as part of that focus – I think partly because of the high profile data breaches and the bad publicity they’ve got – but we’re seeing a lot more uptake in what we call the data destruction or data discovery and destruction. So there’s two elements to that. The first is clients understanding what they’ve got. Now that sounds really silly and obvious, but especially for larger businesses with multiple different businesses or different business units or businesses that have acquired other businesses over time, they truly sometimes do not know what they’ve got; who accesses it, where it goes, is it in third party, is it on site? So mapping that for them and also the piece around the APP 11.2 – which is the obligation to de-identify or destroy after you’ve used it for the purpose – that was one of the things called out in all the big high profile data breaches. So everyone has reacted, and look, I’m not being negative. 
If you only do one thing in 12 months, getting rid of all of your excess data that you should not lawfully have anymore will significantly reduce both the risk of a data breach and also the impact of that data breach when it happens. The only other thing I want to mention is that we’ve also seen a little bit more interest in the M&A space. Now that seems weird for a privacy lawyer and often it’s not considered as part of an acquisition of a business, but I think with all the high profile data breaches and the escalation in interest, a lot more of our colleagues and our clients are saying; “hang on a minute, we’re buying a business as you said, every business now has data, is it compliant? What are we buying in terms of our risk of non-compliance in privacy?”. So we’re seeing an uptick in that space as well, but the other two in particular is what we’re really focused on at the moment. | |
00:05:46 | DT: | That’s so interesting, the M&A piece around privacy and it really is kind of a – it goes on both sides of the ledger, doesn’t it? As both an asset and a liability. You want to understand the asset that you’re buying, not just the balance sheet assets, but the data that’s sitting in the business, but also how that exposes you. And I think it’s interesting, that’s really only now just starting to be well understood. |
AC: | Well the 50 million fine has helped because in the past you may have thought; “well, you know, if we can deal with all that after we get it”. But now you’ve got to work out: what do you need to do once you’ve acquired that new business and all those information assets? What do you need to do day one and how long do you have before something happens? And unfortunately there’s been significant acquisitions where they’ve literally had a data breach within two weeks of taking over. So truly not their fault, but they weren’t even aware of it because of the lack of due diligence. So it really is an important and growing area. I think long term, I think any business buying another business or company that has any significant data assets, which is most of us at the moment today, really needs to do the due diligence carefully and methodically to know what the size of the potential risk is and what the cost is going to be to fix it up. | |
DT: | You know, we talked as well last time you were on the show about the small business exemption. And you know, I can even imagine… | |
AC: | I think I got a bit angry about it too, didn’t I? I’ll try not to be quite so invested today. | |
00:07:15 | DT: | But you know, I can even imagine for some smaller deals and even kind of your geographic roll up, kind of consolidation type transactions, you might have a situation where the privacy practices from a legal perspective were adequate for the target business, but as they join a much larger corporate group, the framework that applies to them is completely different and it’s not really sufficient to accept the warranty that, you know, we’ve been complying with all laws up to the date of the completion date. |
AC: | Well, that’s a classic example because a small business that does get the benefit of the current exemption can honestly hand on heart say; “yeah, we comply with everything we have to”. But the moment it’s taken over by a business that doesn’t get that exemption, you’re absolutely right, David. And that is something that people have overlooked. It also is the fact that sometimes when you are buying an adjacent business and you take that data and combine it with your core business data, you get something much bigger than one plus one. You get data that can really, you know, deep dive into your customers. So you’ve really got to be careful about what you’re getting, how you’re going to be using it, and, you know, whether they’re compliant pre-acquisition and what changes post-acquisition. | |
DT: | Yeah, those are great tips. It’s interesting to see that those are all coming up. Certainly that big stick, that $50 million long stick. | |
AC: | Certainly helps, yeah. | |
DT: | Yeah. TIP: We discuss more about due diligence in mergers and acquisitions, including what is best practice and the important things to consider, in our episode with Chris Cruikshank from Assured Legal Solutions. That’s episode 80, Careful What You Wish For: Limiting or Waiving Due Diligence in Private Mergers and Acquisitions. Now, when we spoke on the show last time, we were talking about this much awaited privacy Report from the AG’s department. | |
AC: | I said it was coming! | |
00:09:03 | DT: | Well, and here it is. And we were crystal ball gazing a little bit about what it might say. And it’s here now, we know. But it’s been quite a bit of work. It’s two years of consultation, which is great. You know, we don’t always see that sort of comprehensive consultation process in lawmaking. |
AC: | Nor do we always want it, but yeah. | |
DT: | Well, yeah, I suppose there’s extremes in both directions. But extensive consultation, extensive period of drafting and refining here. So how did we get to this point with the Report? How did it kind of come about as a proposal? And how are we ending up? | |
00:09:37 | AC: | So, great question. And you obviously want to get me stirred up for the other questions you’re going to ask me. But look, this started off as your ordinary bog standard review that they build into certain pieces of legislation every five years, every 10 years. There’s got to be a review. How’s it going? What needs to be tweaked? And under the previous government, that was started, as you said two – although I think it’s closer to three years ago – as one of those reviews. Now, first round of consultations went out way back when. And you know, they prompt the consultation with what they’re thinking about, looking at other consultations, other submissions may come in, which may broaden it. But they give you a bit of an idea. And it was a bit ho-hum. It was a bit sort of pedestrian in terms of a tweak here, a consideration there, a bit of this and a bit of that. But then they got the responses, which sort of pushed the envelope a bit. And still under the old government, they had a bit of a rethink and a bit of a refresh. And they put it back out for consultation again with some; a few, quite significant potential changes. One of them being consent for everything, which I immediately just sort of recoiled from. But then we had a couple of things which my team call the perfect storm. I’ve already mentioned them. We had all those data breaches, very significant ones. And just before that, we had a change of government. And then there was the public outcry about these that just keep on going. I mean, some of the data breaches, the public ones – this is a bizarre fact, but we’ve calculated in the team that actually they cover two and a half times the population. Now, of course, that’s impossible because it’s the same people. It’s two and a half times in basically four key data breaches. Which is absurd. So that is the perfect storm. They then sort of took it away again. 
The new Attorney General zhuzhed it up more, called for more consultation, which really was opened up to some pretty significant areas. And it went from a pedestrian sort of run of the mill review of an act to a significant rethink of our privacy framework and legislation. They then got the responses. They were going to give a government response by the end of 2022. That didn’t happen. As you said, it was released in February with 116 significant – these are not just the consultation ones, these are just the ones that actually suggest a change to the law – proposals. And they then put that out for final comment till 31 March. So we’re expecting any day now. They’ve got a lot on their plate, obviously, but maybe by the end of the year the government should come back and say these are the ones we’re going to action. Tip: we think it’s going to be 80%. They’re bought in generally to the concept – it is the AG’s review. So there has been government involvement in it. And what they have bought into from the beginning is the overarching comment from the report, which is the overarching theme and purpose. We want to make Australian law much, much closer to GDPR. |
DT: | Yeah. And we talked about that on the show last time, that Australian privacy act compliance is not a substitute for GDPR compliance. In fact, the GDPR authorities in the EU and the UK regard it as inadequate. And you do have to separately comply with GDPR if you’re marketing to or making your digital service available to EU and UK citizens. And I think that’s an important point you made as well to remember in terms of predicting how far this report might go in terms of adoption. This isn’t a Royal Commission report that is independently produced from government. And who knows how many of its recommendations will be picked up. It’s not a Law Reform Commission report. This is the AG’s department’s own report. This is coming from the lawmaker. This is highly likely to be adopted in full or largely. | |
AC: | It’s going to be pretty embarrassing if they reject 90% of the suggestions. So, and I think just to your point about GDPR, it’s important to note that moving us closer to GDPR, they’ve not said we’re adopting GDPR. So we will still have our little peculiarities and our little quirks and our little issues. And I’m sure you’re going to ask me about my favourites, the employer records exemptions and the small business later on. But you’re still going to have this problem, which is: most jurisdictions are close enough to be dangerous, but different enough. And GDPR is the outlier that you really do have to have multiple levels of compliance depending upon where you’re operating. And for Australian businesses that now even the mid-size and smaller are looking digitally out of Australia. They’ve then got to comply with four, five, six different jurisdictions. | |
DT: | I mean, we talked before about GDPR really being the gold standard. Is it fair to say that for a digital business that’s operating globally, you know, even as I’m about to say it, I can see the problems with it. To say, well, GDPR is the gold standard, comply with that and you can be reasonably comfortable that you’re complying elsewhere. But as we approach closer and closer to GDPR, but not quite reflecting it, that danger of missing something; not quite fitting the mold of the Australian version gets greater, doesn’t it? | |
AC: | Yeah. And look, we’ve had a lot of clients who do that and think they’re doing the right thing; “oh, Alec, we comply with GDPR so we are bulletproof”. And I go; “not under Australian law you’re not, because you’re not doing this, you’re not doing this”. And that is very different to what you have to do under GDPR. And by the way, Singapore follows closer to Australia than GDPR. Hong Kong has this particularity. Brazil is GDPR+, it’s GDPR and steroids. So, you know, you do have these differences, which mean that you can’t simply apply the one set of a kind of jurisdictional region’s rules to everywhere. I mean, there are some standards out there which can help you comply, but there’s always local peculiarity. So I warn listeners against that. You can’t just implement GDPR and assume that it’s going to fix all of your privacy compliance in Australia. It just doesn’t. | |
DT: | Geez, it certainly sounds like the right area to be practicing. I think some of our listeners are getting their privacy law practices ready to go now. | |
AC: | Let me tell you, it takes an awful lot to get here. It looks pretty easy. And I’ll say that, you know, 75 percent of privacy, once you’ve sort of read it and understood it – and certainly in Australia – is common sense. If you have that it’s that last 25 percent, which I’ve got to tell you is why we get invested in it and why we sit around our team – and I’ll say discuss, but it’s really argue the point – on behalf of clients, because it’s that last 25 percent that is really the difficulty. And that comes down to experience and, you know, a little bit of length of time doing it to understand what the issues may be. | |
DT: | Yeah, it’s where the text of the law meets the real world. | |
AC: | Yeah, exactly. | |
DT: | Yeah. Now, let’s talk about your favourites, the small business exemption and employee records… | |
AC: | Oh, do we have to David?! | |
DT: | We do because they’re being not repealed, not removed, modified. | |
00:16:38 | AC: | OK, so I confess to everyone listening, my bias. You’ll know from the last podcast, I hate these exemptions. I want them to go. So take a little bit of what I’m saying with a pinch of salt. But there’s no doubt in the report they have addressed both of these. Let’s take one at a time. Small business, they’re very clearly saying that this has to go. What they’ve couched it in, however, is; “we need more consultation”. We need to understand the impact of this. We need an impact assessment. We need to establish government supports for it, and we need to do a few other things to make sure that this is not going to kill our SME sector. I get it. Fair enough. But in reality, I think this is one where the government may move a bit faster than what the Attorney General has suggested. So there is no doubt this is on the way out. And until this is gone, we can’t even get anywhere close to adequacy with the EU. So it is an important one. But I think you’ll see a faster move on this – as I do with the employee records exemption. In fact, they’ve been a little bit clearer on the employee records exemption that it’s got to go and it’s got to go in a reasonable time frame. But they have suggested more consultation. My bet – and please contact me when I get this horribly wrong – is that the government will almost immediately get rid of employee records. They might do a little bit for small business because of the potential impact on the economy and we can’t afford it at the moment. But the employee records exemption, I don’t think that has a lot of legs and I don’t think there needs to be more consultation. So I can see that being eased out. Already they’re talking about significant changes to it, even if it stays, which is the mandatory data breach notification would apply. Also, they want to look at things – which is a little bit vague – ensuring that, you know, employees’ personal information is treated fairly and all that. I think the ship has sailed.
The Fair Work Commission has already had a couple of cases where it said forget the employee records exemption for collection. It doesn’t apply. It may apply once you’ve collected it. But in order to collect personal information or sensitive in particular, off an employee for sensitive, you still need consent and you still need to give them a notice for just ordinary collection. So it’s kind of been eroded and eroded and eroded. So, yeah, my bet is that one will go pretty quickly. |
DT: | And, you know, even in the absence of Privacy Act obligations, you’ve still got a general duty of care. You’ve got common law obligations of confidentiality. Contractual obligations under the employment agreement. And so once you layer over that whole mesh mandatory data breach notification, you know, if it walks like a duck and quacks like a duck, it’s starting to look like a duck. | |
AC: | And look, most businesses are already, you know, seriously limiting their reliance on the employee records exemption. It’s almost disappeared with the largest and it’s close to disappearing with the midsize. So, you know, we don’t have many clients that come to us and say; “oh, no, we’re OK, we don’t have to notify anyone. It’s the employee records exemption”. It’s also an indication of how you’re dealing with your employees. And no employer wants to be caught out being sneaky. So, yeah. | |
DT: | Yeah, absolutely. You’ve got to have that framework, you’ve got to have that infrastructure in place for monitoring and reporting for your customer data. I think we talked about this last time. Why wouldn’t you have that for your customer data? | |
AC: | Exactly. | |
DT: | And in terms of the small business exemption, you know, I think this is one of those examples of, in a way, there’s a lot of above and beyond compliance already. It’s a kind of tried example, but take the privacy policy. You know, not every small business needs one – but we kind of… what’s the word I’m looking for here? | |
AC: | Default position? | |
DT: | Yeah, we sort of see whenever a new business starts, even if they clearly fall under the small business exemption, well, what have you got to get? You’ve got to get a terms and conditions and a privacy policy off your favourite document store. | |
00:20:34 | AC: | Every small business is hoping to be a much bigger business. And if you start doing the right thing, it’s a lot easier to keep it going. Plus, the other thing is, you know, in our ecosystem at the moment, a lot of small businesses don’t just exist in a vacuum, they apply to bigger businesses who insist on it, or they’re Commonwealth contractors or state contractors. So a privacy law does actually end up applying to them. So it’d be interesting if they do an impact assessment to work out how many small businesses actually either voluntarily or by contract, or because they work with a bigger enterprise, are actually complying. And I reckon it’s probably – gut feel – about 60, 70% already. |
DT: | Yeah, you’d have to think that the kind of e-commerce digital businesses that don’t have to comply already are just by dint of practice in the market. | |
AC: | Exactly. | |
DT: | And the ones that aren’t are probably unlikely to have to, they might not collect personal information. You know, I’m talking about the very small businesses that are kind of not in digital industries. | |
AC: | Yeah, but even so, I mean, that’s, you mentioned how long this has been in play, and it’s been in the private sector since 2000. But it’s really interesting because, you know, there’s not too many businesses, including small businesses that don’t have some touching of data, that don’t collect some personal information, that don’t have some – especially post-COVID – online presence. So, you know, it’s a really interesting play. In the old days when this was passed, the thought was; “well, you know, there are small businesses that don’t collect any personal information. So this is easy, we can exempt them, they don’t have to worry about it”. But really, I’d suspect that 98% of small businesses collect some form of personal information. | |
DT: | You think about it, you know, even your lawnmower, they’ve got an online form on the website. The coffee shop with an ordering app. I mean, these are collecting… | |
AC: | In my case the donut store! | |
DT: | … names, emails, mobile phones. Does the donut store have an online order? | |
AC: | Yeah, unfortunately, yes. So you can order drive by, and… no I won’t tell people about that. | |
00:22:37 | DT: | That is a risk. Now, let’s talk about some of the other recommendations in the report, some of the things that are likely to become law soon. One thing we talked about that exists under the GDPR, doesn’t presently exist in the Australian Privacy Act, is the right of erasure. |
AC: | You’re really pushing all the buttons today, David, seriously! | |
DT: | I know which ones to press. And this is kind of very closely related, well, it is very closely related, to one of your famous three cannot’s. Right – you can’t keep it forever. | |
AC: | Yes. | |
DT: | So the report has suggested that we have a GDPR-like right of erasure. For listeners who haven’t listened to your previous episode, and if you haven’t, I’d encourage you to go and listen to it. Gives you lots of context for this one to start with, but it’s also a great episode. What is a right of erasure? What does that look like under the GDPR? And what could it look like here? | |
AC: | Yeah, and look, I think, let me start by saying this. There is some detail in some of the recommendations and limited detail for some of the others. And for this one, it’s probably in that latter category, that they’ve suggested it. So we’re all thinking it’s going to be like what’s in GDPR land. And I think that’s probably right. And the concept is, I’ll sort of explain what the concept is, but I’ll explain why I don’t think we need it here and why I’m not a huge fan of it. The concept is that I can phone up Telstra and say; “guys, I’m really sorry, but I’ve had enough. I’m moving to somewhere else. And I want you to forget me”. Now, the right to be forgotten or erasure, as you say, but the euphemism is the right to be forgotten, it sounds pretty neat; “Oh, okay, okay, fair enough. Well, we’ll just stop processing your information”. In GDPR world, that’s not only what it means. It means that in this case, the company – or Telstra, as I mentioned – has to go through all of their records, all of their databases, all of their third parties, and remove David or Alec completely. So it is an over-the-top response. There was argument at the time that it actually wasn’t intended for business at large. It was intended for social media and online. You know, when you say stupid stuff on social media or something is said stupid about you and you could get it removed. | |
DT: | This is one of those examples of where the kind of public parlance around the concept really diverges from the legislative or the legal, because I think we do think of the right to be forgotten very much in those terms of, well, some of the high-profile litigation in the EU about just that circumstance, news articles, social media posts that are damaging to someone’s reputation. They’re not untrue, they’re not defamatory, but they’re embarrassing. TIP: The concept of the right to be forgotten is a relatively recent development in the realm of data protection and privacy laws. In 2014, the Court of Justice of the European Union made a significant ruling in the case of Google Spain v Spanish Data Protection Agency (Agencia Española de Protección de Datos (AEPD)), which held that search engine operators such as Google were responsible for the processing of personal data referring to individuals published by third parties. As a result of this judgment, individuals gained the ability to request search engine operators to remove specific search listing results. Within a month of the ruling, approximately 100,000 delisting requests were submitted. By 2020, Google reported receiving nearly 1 million requests to delist almost 4 million links, according to their Transparency Report. | |
00:26:09 | AC: | And in the old days, you know, you would have to have said; “what paper was that in about David? What university did he go to? That stupid thing he did, I have to go to a microfiche and look it up”. So there was an inbuilt and inherent forgetting of stuff in all the inability to actually publicise, press a button and publicise it really quickly. Whereas the internet of course is forever as we know, and it’s there forever. So look, it’s not a bad right, but in a business context outside of social media or the internet, they will really struggle because there’s a lot of businesses with systems that don’t necessarily talk to each other or are legacy. Unfortunately, sometimes they don’t even know where all their data is, that’s my comment from earlier on. But I mean, there are some real concerns and we already have, and this is my pet peeve, APP 11.2, which is the obligation to delete or de-identify once used for the notified purpose and if there’s no specific express legal obligation to keep it in an identified form. So if that was enforced better, we would actually significantly minimise the personal information that’s kept about people anyway. But for me, this is a huge impost on business. I mean, in Europe, this caused a great deal of concern. There was a lot of spend on tech in order to be able just to meet this obligation. Huge. |
DT: | Does it apply to – I suppose we’re going to talk about de-identification and re-identification a bit later – which was one of the more… | |
AC: | Now you’re making me happy. | |
DT: | That was one of the more curious ones for me, but does that right to be forgotten extend to de-identified data? Is it possible to de-identify metadata and continue to store that for analytical purposes? | |
00:27:54 | AC: | Yeah, so let’s jump into that. At the moment, the right to be forgotten in Europe is related to personal data over there or personal information here. So data that is subject to that definition and does identify or can identify the individual. It doesn’t apply to de-identified, but I’ll put an asterisk there, we’ll come back to it. But it really is a difficult concept, and it’s going to be made worse because one of the big changes in, or proposed changes, is to de-identified information. Now, I’ll be quite honest, I know I’m talking to lawyers and in-house. One of the great get-out-of-jail-free cards for privacy in an organisation, if they didn’t want to get rid of everything, was to de-identify. Now, honestly, it wasn’t done very well in this country. The de-identification was a little bit of a joke; “oh, but we have a look-up table!”. Well, that’s not de-identified, is it? Because you can look it up and reverse engineer it and work out, or; “it’s all encrypted, but we’ve got the key!”. Well, again, not de-identified. So it’s an overreaction, in my view, to the poor practices with regard to de-identification. They have pushed the envelope, and now what we’ve got, for all being pretty bad at it, is a proposed change to the law. Which basically says, even if it’s de-identified, certain obligations are going to continue. Now, hopefully, they’ll work out not the right to be forgotten. But the obligation now will be: there’ll be heightened and more specific obligations on what de-identified means, and therefore what it doesn’t mean, and there’ll be an obligation to continue to monitor that. Because as innovation changes, some de-identified data doesn’t become de-identified, or because of extra data sets that become available. So there’ll be a continual monitoring program, some of the obligations will continue. And one of the main obligations is that if you release that anywhere, you have an obligation to ensure it is never re-identified. 
So we are talking two speeds of privacy law. Now, we’re going to have privacy obligations on de-identified and privacy on personal information. Which is insane. And all businesses will default to the higher to cover it all. They won’t be running two totally different systems, one for de-identified and one for not. So there’s real issues with that one, and again, it’s been a little bit of a tool that we’ve used to avoid the Privacy Act when de-identification is done properly, because once it was de-identified, it used to be out. No longer there will be obligations applied. |
DT: | And that’s probably really the sleeper big change in all of this, because personal information is really the heuristic by which you measure anything to do with the Privacy Act. | |
AC: | Not anymore, obviously! | |
DT: | Yeah, so it’s a complete change to even the subject matter of the law. | |
AC: | Yeah, it is a quantum leap. And the other one that goes along with it, which is, I think, another sleeper which people have not appreciated – because the right to be forgotten gets all the press and some of the other things – they want to change the definitions of personal and sensitive information. At the moment, we have a definition, and this is a very lawyer-y thing, so apologies in advance. We have a definition that says “about a person”, right? And that has been interpreted by tribunals, courts, to actually apply some restrictions. Whether your car is in good condition or not when you bring it into the mechanic has been held not to be personal information. It’s about your car, it’s not about the individual. I would argue that it’s the way you treat the car and the fact that you don’t put oil in it and that shows the sort of person you are, but never mind. But that is about to change. So there was always that ability to look at the word “about”; “is it about David? Is it about Alec?”. But now they’re changing it to the GDPR definition, which is “related to”. So that car example disappears because it’s my car; it’s “related” to me. Therefore, whatever you’re going to say about my car is related to me. So that’s another big one which will actually increase – I mean, we did this for a client recently – we reckon it’s going to increase the amount of information that is now caught by the Privacy Act by about 30% for a client. Just by changing those definitions. | |
DT: | And can you tell me a bit about the impetus or the thinking behind that change? Because I suppose, I’m thinking about the policy objectives and I’m wondering what that information that’s not about a person, it’s not sensitive information, it’s not health or financial information. What is that data that’s not under the protection of Privacy Act today that is sensitive enough to require that kind of regulatory attention? | |
00:32:48 | AC: | Well, it’s a great question, but you’re coming at it the wrong way. It’s more about this overarching “we want to be more like GDPR”. So there were a couple of submissions in there that said by using the word “about”, there is a potential restriction. And let’s be honest, our whole lives are digital, our whole lives are online. Is it really sensible to say it’s really got to be “about” when I can connect David with a whole lot of random information? I’m not too excited, but I’m not too unhappy about this change because there were some weird decisions about what “about” means, and the car mechanic issue I raised is one example of that. But it really means that you’re now looking at a wider pantheon of data that is going to be related, especially in a digital context and especially when you start to accumulate data sets. So it really is going to mean that we’re now looking at virtually everything you collect if it can in any way be connected to an individual. And in terms of the sensitive; it’s interesting you ask that question because again, well, it’s pretty obviously sensitive information if it’s health about Alec or whatever it may be. But this definition and also some text that they’re thinking of putting in will make it clear that you don’t have to collect the sensitive information. You could join data sets and suddenly realise because of those data sets that Alec’s a diabetic. Bang, you have suddenly collected sensitive and that will now be caught. So data that you collect by your own devices, not directly from the individual because of analytics or inferred data is now going to be both subject also to the personal and sensitive definitions. |
DT: | Interesting. | |
AC: | Yeah, scary. | |
DT: | Yeah but in a way, a lot of these changes are about alignment. They’re about treating a lot of the data that’s collected in the same way. The data “about” and the data “related to” should be treated the same way. That small businesses and other businesses should be treated the same way. Employees and customers should be treated the same way. But then we’ve got this second class of de-identified information that kinda throws that theory out of the water. | |
AC: | Yeah, and look, and it’s a nice theory and I like it, except they’re going out of their way to differentiate children and vulnerable people. That’s another set of the proposals. And with children, they have enunciated really quite well. They want the equivalent – for those listening who’ve done any work in the US with children – the COPPA, which is the Children’s Online Privacy Protection Act. They’re thinking about a standalone code that will be for everyone that deals with children online, whether they know it or not, that they have to implement. And so it’ll be yet another sort of subset of requirements and privacy principles. Look, the full extent hasn’t come out yet, but they are very keen to do that, of course, with the eSafety Commissioner as well. And then vulnerable persons, again, there’s some thinking which is not bad thinking, it’s really quite nice thinking and sensible thinking that maybe vulnerable persons need a slightly different sort of regime. It might not be, like everyone’s thinking, tougher. It may be more relaxed because you want to be able to deal with vulnerable persons’ information without asking them in front of the spouse that may be abusing them whether they consent to blah, blah, blah. So again, there’s a lot of thinking in there that’s initial stages. But so yeah, we’re also now calling out different areas like dealing with children and vulnerable persons as well. | |
DT: | I guess that makes sense because if you’re moving to a kind of consent for everything sort of model. | |
AC: | Oh, I hope not. | |
DT: | Then, well, but if you are, then it does make sense that, you know, what’s the capacity to give that consent? And if that’s mitigated in some way, then how do you temper that obligation? | |
00:36:37 | AC: | Yeah, and look, the follow-up is, as well as that online privacy thing for those out there listening, the real rubber hits the road when they combine that with their direct marketing stuff that they’re looking at and there’s going to be a whole regime built in about targeting children. In other words, it’s almost going to be prohibited out of existence. So you are looking at, there’s some targeted marketing type things and automated decisions which don’t really worry me that much, but it’s when it’s combined with things like vulnerable persons and children, that’s when you’re seeing some significant impost on business to actually change the way they do things right now in a very significant way. |
DT: | You know, these changes around identified information, collection of information, vulnerable people, children, and also that sort of sensitive data by inference. All of that really is going to increase the cost of collecting data for analytics. | |
AC: | Oh, yeah, absolutely. | |
DT: | And it feels like it’s coming sort of just at this moment that alternatives are becoming available around federated learning or synthetic personal information, the synthetic patient data sets is something that’s really interesting. | |
AC: | And in that sense, I think they have cleverly looked over the horizon. So a lot of these sort of peripheral issues, which if you just read it, you think, why are they worried about this? But I think there’s been some clever people that have been looking at this and what’s coming and what the future is. I mean, it predates the generative AI furor, but some of the proposals would cover it. | |
DT: | Well, yeah, because I think some of these changes 10 years ago, you look at really data-led businesses and you think, well, it’s going to be a huge cost, how are they going to be able to comply with this? But now, when a lot of those machine learning and artificial intelligence techniques exist to create synthetic data or data that is used for training or learning off-premise, there’s, I guess, safe ways around that that still make that viable, even with these restrictions. | |
00:38:57 | AC: | And if these get passed, that’s the whole point. They want to say; “no, that’s not out of scope, that’s still within scope”. If you infer, if you create synthetic data about someone, it’s still at its base information or an opinion about an identifiable individual, or that can be related to an identifiable individual. And GDPR sort of kicked it off with thinking about profiling for marketing purposes. And they said; “well, hang on a minute, there’s a lot of stuff you get there, and if other people get it, there’s inferences about people, and all sorts of things can come out that weren’t intended to come out”. In fact, this is an area where we may one-up the GDPR. We actually may go ahead of what they’re doing, because we’ve had the benefit of what now four years since GDPR came in. And this looking over the horizon. But it will still be difficult for business. If most of these changes come in, David, there will be as much impact as there was for European businesses when the GDPR came in. People are not understanding this at the moment. It costs them a lot of money to buy new tech and new software in order to comply with GDPR. It will be the same in Australia, and people are just not getting that at the moment. You know, US businesses were saying at the time when the US business had to comply with GDPR, they were looking at between two and three and a half million US on average to get ready technologically. Now, okay, let’s take off 15%, because it’s the US, and everything seems to be more expensive over there, but you’re still looking at a huge cost, a huge impost, and the right to be forgotten is front and center the most difficult one, technologically, to do. |
DT: | Yeah, well even just, you know, what you were describing in terms of the inadequacy of the approach to de-identification, technologically speaking, you know, encrypted table columns, and look-up tables, and things like that. You can see that approach, technologically, is really about; “oh well, if there’s a breach, then that information’s not identifiable”. But I suppose what we’re looking at now is what’s not just about a malicious actor getting access to that data, it’s about whether you have access to that data. | |
AC: | And let me just say, if even right now, before these proposals, if there is any way, shape, or form that internally, even another business unit could have a look-up table or re-identify the information, or if you get a new data set, then it’s never de-identified. It’s always personal information. And clients sometimes live in this fantasy land that they’ve taken off Alec and David’s name, and that’s fine. No, de-identification is an art form and a science, and it’s really difficult to do long-term, and it’s something you’ve got to have an ongoing view to. But the moment a certain technology, such as AI, comes along, or the moment a better data set or a new business is acquired, all of a sudden that de-identified information is no longer. And what happens is the clock, it’s a bit simplistic, but the clock resets. So the argument is it’s never been de-identified. So you should have been complying with privacy law since when you first thought it was de-identified. There are some exceptions to that, but there’s some real big issues, and we’re getting a lot of interest from clients as well in terms of; how do we now do this? How do we now run an analytics program in-house? Should we be doing it with a third party so that we’ve de-identified it and there’s no possible look-up internally for this? How do we best deal with these issues, and what do we apply, and what do we need to do, both now and when these new changes come in? | |
DT: | When I first saw this concept of malicious re-identification, I thought, well, if it’s capable of being maliciously re-identified, it’s not very well de-identified, is it? | |
00:42:43 | AC: | No, and that’s the point. And so I think, look, there’s a famous Canadian privacy commissioner, Ann Cavoukian, who I’ve had a few stand-up discussions with over time. I come from a very business point of view, and de-identification was something we needed for our clients. She’s of the view – and there are many people like this – that there’s never de-identification. Nothing is ever truly de-identified. It is always re-identifiable. So providing any out or opt-out for de-identifying just doesn’t work. So, and I have to admit this – and she won’t listen to this podcast – but given the developments recently with generative AI, et cetera, she may be getting close to being correct. |
DT: | Yeah, I mean, it kind of goes back to the definition of personal information, right? Information from whom a person can be identified, not that necessarily overtly does it. | |
AC: | Exactly, or that it is identified at that point in time. So, and so we aren’t really facing, and I think that’s the recognition in terms of ongoing obligations for de-identified, because they’re sort of saying; “well, guys, we know that there’s no such thing as de-identified, really”. | |
00:43:52 | DT: | Absolutely. Now, before we go, one other topic I wanted to cover with you. We talked about tort of privacy last time. |
AC: | Oh, yeah. | |
DT: | Right of direct action. We last spoke about it. Well, you weren’t willing to give away the secret, but that there might have been a kind of roundabout way of pursuing a, not a tort of privacy, but in a way, a direct action. | |
00:44:13 | AC: | Oh, yeah, I’m certainly not giving it away to competitors listening. But look, the good news is, for those that are interested in a tort, and those that are interested in direct action, the proposals do canvass both. The tort is a little bit; “let’s do some more work, let’s do some more thinking”. I don’t think it’s got a lot of legs, to be honest. But a little bit more focus was the direct action. So a couple of things, they want to look at the ability, like in New South Wales, you can go to the New South Wales Civil and Administrative Tribunal if you’re an individual, with a complaint on privacy against the government, there is a direct right to a tribunal. They’re thinking of implementing something like that, and they’ve also talked in the proposals about enhancing the tools available to the court. So what the court can do, what the court can order, what the process looks like. So I think a direct right of action in certain circumstances is quite possible. But again, they’re rejigging the AAT, so it might be a while before that happens. They’ve also looked at what the privacy commissioner can do, and they’ve given them a lot more on the spot fine types, or they want to give them a lot more on the spot fine type portfolio, responsibility fines, enforceable undertakings. The sleeper there is people need to read through the whole chapter because they also want to give them the right to publish, like not just decisions, but to talk to the press, to share information with government and companies. So we are talking the ability to name and shame a lot more than they have now, which is also an interesting ploy. There are various ways, and those of you out there that are practising privacy think a little bit laterally, because there are other ways currently to get direct actions. And I mean, some of them have been canvassed in the class actions that have risen out of the high profile data breaches, but not all of them.
And they all have hairs on them, they’re all not fantastic, they are open to issues. So if this comes through with the direct right of action, it’ll be a lot more straightforward and a lot simpler. TIP: This direct right of action falls under proposal 26.1 in the Report. Broadly, the proposal would require a formal complaint to be made to the Office of the Australian Information Commissioner or Federal Privacy Ombudsman by a party whose privacy has been interfered with by an APP entity. The complaint would then be assessed for potential conciliation either by the OAIC itself or through a recognised External Dispute Resolution (EDR) scheme. If the OAIC or the EDR determines that there is no reasonable likelihood of resolving the complaint through conciliation, or if the OAIC decides that the complaint is not suitable, the complainant will have the option to escalate the matter to a court – either the Federal or FCFCOA. The relevant court has the discretion to issue any appropriate order it deems necessary, including the awarding of damages or any other suitable remedy. The issue that we always face in a privacy action of any description is; what are the actual damages? And proving something beyond. Now in the state tribunals, there’s a feeling that the hurt and suffering that is suffered is real for a privacy breach. They don’t have to show that they’ve lost their income or they’ve spent thousands of dollars on doctors or psychiatrists, et cetera. There is also something there. And the privacy commissioner federally has always awarded what they call non-economic damages for hurt, pain, suffering, because it’s a privacy breach. And the more sensitive information, the more that amount is. But yeah, it’s a really interesting space and I think there’s going to be a lot of interest in these class actions to see where they go. I’m not sure all of them are framed brilliantly and some of them will fail and certainly some of the areas. 
And that could sit back using those areas in the future. But if one or two of the areas get a little bit of traction then I think within law reform following with these proposals, you might actually cement the right way to do it. |
00:48:27 | DT: | I wonder if it could, this is just sort of wild guessing at this point, I wonder if it could almost look a bit like the Australian consumer law in that although we typically think of a lot of those provisions as actionable for a private individual or actionable for a private company, in reality, the vast majority of those provisions are enforced by… |
AC: | ACCC. | |
DT: | … it’s your provisions right at the end there in the 200s that give you the private right of action because it enables a court to award damages for their breach. So I wonder whether there’s almost a model a bit like the ACL that could come in here. | |
AC: | Yeah, absolutely. I think that’s something we’ve thought about but I think it’s very clever because you then get this ability for the regulator to go and cut the path and then for private individuals if they wish to follow that approach or again, the regulator may get a decision which has precedential value and then people can go forward and say; “well, if they’re not doing this and this, that case said they’ve got a problem. They’ve not done that with me, I’m going and having a go”. | |
DT: | It’s an elegant solution to kind of, as you say, cutting the path, giving the same cause of action to both the regulator and the private individual in a way. I mean in the ACL, your cause of action isn’t technically under section 18 if you’re seeking damages as a private individual but for all intents and purposes, that’s the section that you’ve got to prove the breach of and that’s also the section that the regulator has to prove the breach of. So you’ve got this nice symmetry there, useful to the courts, useful to practitioners and useful to the punter who wants to walk after the ACCC. | |
00:50:03 | AC: | No, definitely. And look, I think it’s watch this space on that because I, you know, and this is no disrespect to the OAIC or the Privacy Commissioner but having to deal with all of their day job enforcement actions and then decide thousands of decisions that come their way and even more thousands of complaints, I mean, they really need to be a lot bigger than they are in order to handle all of that. I don’t think we should take away the right to make a complaint to the Privacy Commissioner but a direct right of action and/or a regulator sort of almost in inverted commas class action or particular case that proves a point, I think is a very valuable tool. |
DT: | Well, as you said, another space to watch. We’ll have to get you back a third time when the recommendations are accepted. | |
AC: | Yeah, well, we’ll see what they suggest but I think our gut feel is 80% of them in pretty much the form that they’ve been recommended will go through. So it will be an interesting time but I think everyone out there, you need to be talking to your clients because this is going to be a big financial and time cost to them to get ready for this. | |
DT: | And the sooner you get ready for it, the better. | |
AC: | Exactly. I mean, you don’t want to prepare for things that aren’t going to be changed but yeah, you’ve certainly got to be prepared and improving current practices to the current regulation is a good first step. I know that sounds really basic but getting compliant with what you have to be now will put you in good stead to take the next step. But if you’re going from zero to 100, it’s going to be a lot harder. | |
DT: | Absolutely. Before we go, you left us with a practical tip that I still think about in your first interview, your three cannots. Do you want to give us those again? | |
AC: | Yes, you cannot collect whatever you want, you cannot use it for whatever you want and you cannot keep it for however long you want. | |
DT: | Kind of the Privacy Act in one paragraph, right? | |
AC: | Yeah, well, I know. I get in a lot of trouble from the team about it, there’s a lot more behind it but it’s a pretty good rule of thumb. | |
DT: | Lawyers, they’re such sticklers. You’ve got kind of a fourth cannot coming out of this report, right? At the risk of ruining the rule of three. | |
00:52:07 | AC: | Yeah, we might start another three. But look, honestly, the thing we’ve been talking about a lot is my fourth cannot. You cannot rely on de-identification. If these proposals get passed on de-identification, we’ve all relied on it to get out of jail free in terms of privacy. So if they are passed, the fourth cannot is; you cannot rely on de-identification. |
DT: | Yeah, absolutely. I think that’s really the big takeaway for me from this and a huge issue in the report that a lot of people will miss. | |
AC: | Yes. | |
DT: | Well, Alec, thanks so much for joining me today on Hearsay. | |
AC: | Thank you. | |
00:52:53 | RD: | As always, you’ve been listening to Hearsay the Legal Podcast. I’d like to thank our special guest, Alec Christie, for being a part of it. As you well know, if you’re an Australian legal practitioner, you can claim one Continuing Professional Development point for listening to this episode. Whether an activity entitles you to claim a CPD unit is self-assessed, but we suggest this episode entitles you to claim a substantive law unit. More information on claiming and tracking your points on Hearsay can be found on our website. Hearsay the Legal Podcast is, as always, brought to you by Lext Australia, a legal innovation company that makes the law easier to access and easier to practice, and that includes your CPD. Hearsay is recorded on the lands of the Gadigal People of the Eora nation and we would like to pay our respects to elders past and present. Thanks for listening and see you all on the next episode of Hearsay! |